Re: [DNSOP] extension of DoH to authoritative servers
Ted Lemon <mellon@fugue.com> Tue, 12 February 2019 18:44 UTC
From: Ted Lemon <mellon@fugue.com>
Message-Id: <D01BFEEE-746D-4F30-A3CE-497D4AFA8CC5@fugue.com>
Date: Tue, 12 Feb 2019 10:44:01 -0800
In-Reply-To: <873fe3e1-58e4-38a7-eb11-37509f9b7ff4@redbarn.org>
Cc: David Conrad <drc@virtualized.org>, dnsop <dnsop@ietf.org>
To: Paul Vixie <paul@redbarn.org>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org> <43FF2435-37C6-43B0-B97C-59D23AD2A9C2@virtualized.org> <873fe3e1-58e4-38a7-eb11-37509f9b7ff4@redbarn.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/n40z21lGiuWwVxazqyZ1p5ARDXk>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
On Feb 12, 2019, at 10:34 AM, Paul Vixie <paul@redbarn.org> wrote:
> netflow. such traffic _looks_ abnormal.
>
> the deliberate design premise of DoH is that it look normal.

It’s either one or the other. DoH is such traffic. If it looks abnormal, you can do something about it. If it doesn’t, you can’t.

It’s not the case that nefarious traffic that is not DoH is special in looking different. Or rather, to the extent that you are good at identifying and blocking such traffic, that will naturally select for solutions that are less easily identified, and eventually the steady state will be exactly what you are afraid of with DoH. To the extent that DoH is less obvious than these other techniques, you could legitimately say that it is an example of this process of natural selection. It just happens to be visible to you, whereas all the other examples are not, because they are being done by black hats, not by the IETF.
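The exchange above turns on whether DoH traffic can be picked out of netflow-style data. The following is an added example by the editor, not code from Ted Lemon, Paul Vixie or anyone else in the thread. It classifies HTTPS flow records using the two signals an operator actually has: a list of known resolver names seen in the TLS SNI, and a flow-shape heuristic (a long-lived connection carrying many small request/response records). The resolver hostnames are real public DoH endpoints; the addresses, flow records, thresholds and the hostnames resolver.example / www.example.org are constructed for illustration. The fourth record shows the point of the argument: DoH multiplexed with web content on an unlisted origin falls outside both signals.

```python
# Added example (editor's, not from the thread): classify HTTPS flows as
# probable DoH from netflow-style records, using the two signals the thread
# argues about. Resolver hostnames are real public DoH endpoints; all
# addresses, flow records and thresholds are constructed for illustration.
from dataclasses import dataclass

# Real public DoH resolver names. Maintaining such a list is an assumption
# about what an operator would do; it is not an exhaustive registry.
KNOWN_DOH_SNI = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    sni: str          # TLS server_name from the ClientHello, "" if absent
    duration_s: float
    msgs: int         # TLS application-data records observed in the flow
    bytes_out: int    # client -> server payload bytes
    bytes_in: int     # server -> client payload bytes


def parse_flow(line: str) -> Flow:
    """Parse one constructed CSV record: src,dst,dport,sni,dur,msgs,out,in."""
    src, dst, dport, sni, dur, msgs, out, inn = [f.strip() for f in line.split(",")]
    return Flow(src, dst, int(dport), sni, float(dur), int(msgs), int(out), int(inn))


def by_endpoint(flow: Flow) -> bool:
    """Signal 1: the destination is a resolver we already know about.
    Cheap and precise, but blind to any endpoint not on the list."""
    return flow.dport == 443 and flow.sni in KNOWN_DOH_SNI


def by_shape(flow: Flow, min_msgs: int = 20, min_duration_s: float = 30.0,
             max_avg_out: float = 200.0, max_avg_in: float = 600.0) -> bool:
    """Signal 2: a long-lived HTTPS connection carrying many small
    request/response records, which is what a busy DoH session looks like.
    Thresholds are illustrative; HTTP/2 browsing can resemble this, and a
    resolver can pad or multiplex with web content to fall outside it."""
    if flow.dport != 443 or flow.msgs < min_msgs or flow.duration_s < min_duration_s:
        return False
    avg_out = flow.bytes_out / flow.msgs
    avg_in = flow.bytes_in / flow.msgs
    return avg_out <= max_avg_out and avg_in <= max_avg_in


def classify(flow: Flow) -> str:
    """Verdict for one flow: the endpoint list is consulted first because it
    is the higher-confidence signal; the shape heuristic is the fallback."""
    if by_endpoint(flow):
        return "doh:known-endpoint"
    if by_shape(flow):
        return "doh:shape-heuristic"
    return "other"


# Constructed records using RFC 5737 documentation addresses, not real hosts.
SAMPLE_FLOWS = [
    # 1: a client talking to a well-known public resolver
    "192.0.2.10,198.51.100.1,443,dns.google,600,300,36000,120000",
    # 2: the same traffic profile to a private resolver nobody has listed
    "192.0.2.10,198.51.100.2,443,resolver.example,600,300,36000,120000",
    # 3: an ordinary page load: few, large transfers
    "192.0.2.11,198.51.100.3,443,www.example.com,45,12,6000,900000",
    # 4: DoH multiplexed with web content on one origin; the per-record
    #    averages now look like browsing, so neither signal fires
    "192.0.2.12,198.51.100.4,443,www.example.org,600,300,36000,2000000",
]


def classify_lines(lines):
    """Classify a batch of CSV records; returns one verdict per line."""
    return [classify(parse_flow(line)) for line in lines]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_FLOWS, classify_lines(SAMPLE_FLOWS)):
        print(f"{verdict:22s} {line}")
```

Running it yields doh:known-endpoint for the first record, doh:shape-heuristic for the second, and other for the last two. Record 2 is only caught because the heuristic thresholds are tuned to it; record 4 shows how little it takes to move the same DNS traffic back inside the envelope of ordinary HTTPS, which is the selection pressure the message describes.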